[Impala-ASF-CR] IMPALA-8100: Add initial support for Ranger

Fredy Wijaya (Code Review) Wed, 20 Mar 2019 18:21:52 -0700

Fredy Wijaya has uploaded a new patch set (#17). ( 
http://gerrit.cloudera.org:8080/12632 )


Change subject: IMPALA-8100: Add initial support for Ranger
......................................................................

IMPALA-8100: Add initial support for Ranger

This patch adds an initial support for Ranger that can be enabled via
the following flags in both impalad and catalogd to do enforcement.
- ranger_service_type=hive
- ranger_app_id=some_app_id
- authorization_factory_class=\
    org.apache.impala.authorization.ranger.RangerAuthorizationFactory

The Ranger plugin for Impala uses Hive service definition to allow
sharing Ranger policies between Hive and Impala. Temporarily the REFRESH
privilege uses "read" access type and it will be updated in the later
patch once Ranger supports "refresh" access type.

There's a change in DESCRIBE <table> privilege requirement to use ANY
privilege instead of VIEW_METADATA privilege as the first-level check
to play nicely with Ranger. This is not a security risk since the
column-level filtering logic after the first-level check will use
VIEW_METADATA privilege to filter out unauthorized column access. In
other words, DESCRIBE <table> may return an empty result instead of
an authorization error as long as there exists any privilege in the
given table.

This patch updates AuthorizationStmtTest with a parameterized test that
runs the tests against Sentry and Ranger.

Testing:
- Updated AuthorizationStmtTest with Ranger
- Ran all FE tests
- Ran all E2E authorization tests

Change-Id: I8cad9e609d20aae1ff645c84fd58a02afee70276
---
M be/src/service/frontend.cc
M be/src/util/backend-gflag-util.cc
M bin/rat_exclude_files.txt
M common/thrift/BackendGflags.thrift
M fe/pom.xml
M fe/src/main/java/org/apache/impala/analysis/DescribeTableStmt.java
M fe/src/main/java/org/apache/impala/authorization/AuthorizationChecker.java
M fe/src/main/java/org/apache/impala/authorization/AuthorizationPolicy.java
M fe/src/main/java/org/apache/impala/authorization/AuthorizationProvider.java
M 
fe/src/main/java/org/apache/impala/authorization/DefaultAuthorizableFactory.java
M fe/src/main/java/org/apache/impala/authorization/NoneAuthorizationFactory.java
M fe/src/main/java/org/apache/impala/authorization/Privilege.java
A 
fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java
A 
fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationConfig.java
A 
fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationFactory.java
A 
fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaPlugin.java
A 
fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaResourceBuilder.java
M 
fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationChecker.java
M 
fe/src/main/java/org/apache/impala/authorization/sentry/SentryAuthorizationFactory.java
M fe/src/main/java/org/apache/impala/service/BackendConfig.java
M fe/src/main/java/org/apache/impala/service/Frontend.java
M fe/src/test/java/org/apache/impala/analysis/AnalyzerTest.java
M fe/src/test/java/org/apache/impala/analysis/AuditingTest.java
M fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java
M fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java
M fe/src/test/java/org/apache/impala/analysis/ToSqlTest.java
M fe/src/test/java/org/apache/impala/authorization/sentry/SentryProxyTest.java
M fe/src/test/java/org/apache/impala/common/FrontendFixture.java
M fe/src/test/java/org/apache/impala/common/FrontendTestBase.java
M fe/src/test/java/org/apache/impala/testutil/CatalogServiceTestCatalog.java
M fe/src/test/java/org/apache/impala/testutil/ImpaladTestCatalog.java
A fe/src/test/resources/ranger-hive-audit.xml
A fe/src/test/resources/ranger-hive-security.xml
M impala-parent/pom.xml
M testdata/bin/create-load-data.sh
M testdata/cluster/.gitignore
A testdata/cluster/ranger/setup/impala_service.json
A testdata/cluster/ranger/setup/impala_user.json.template
38 files changed, 1,131 insertions(+), 237 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/32/12632/17
--
To view, visit http://gerrit.cloudera.org:8080/12632
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I8cad9e609d20aae1ff645c84fd58a02afee70276
Gerrit-Change-Number: 12632
Gerrit-PatchSet: 17
Gerrit-Owner: Fredy Wijaya <fwij...@cloudera.com>
Gerrit-Reviewer: Austin Nobis <ano...@cloudera.com>
Gerrit-Reviewer: Bharath Vissapragada <bhara...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fwij...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Reviewer: Paul Rogers <prog...@cloudera.com>
Gerrit-Reviewer: Philip Zeyliger <phi...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>

[Impala-ASF-CR] IMPALA-8100: Add initial support for Ranger

Reply via email to